Thanks. I proceeded a bit further but gpg reports the following despite it
having already imported the key you suggested.

% gpg -o /dev/null -v < ~/openssl_dsa_advisory.asc
gpg: armor header: Hash: SHA1
gpg: armor header: Version: GnuPG v1.4.6 (GNU/Linux)
gpg: original file name=''
gpg: Signature made Wed 07 Jan 2009 05:00:43 AM PST using RSA key ID F295C759
gpg: using PGP trust model
gpg: *BAD signature* from "Dr Stephen Henson <shen...@drh-consultancy.co.uk>"
gpg: textmode signature, digest algorithm SHA1

Here is the list of public keys my GPG has:
% gpg --list-public-keys
~/.gnupg/pubring.gpg
---------------------------------
pub   2048R/F295C759 1998-12-13
uid                  Dr Stephen Henson <shen...@drh-consultancy.co.uk>
uid                  Dr S N Henson <shen...@drh-consultancy.demon.co.uk>
uid                  Dr Stephen Henson <stephen.hen...@opennetworksecurity.com>

pub   1024D/89A36572 1999-12-12
uid                  OpenSSL Team Security Key (WARNING: SHARED KEY) <openssl-secur...@openssl.org>
sub   4096g/7C2C567F 1999-12-12

Thanks,

Vineet

On Fri, Jan 9, 2009 at 9:33 AM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Fri, Jan 09, 2009, Vineet Kumar wrote:
>
> >
> > Before taking in the patch for the recent security advisory for
> > vulnerability CVE-2008-5077, I want to verify its authenticity using GPG.
> > However, I get this:
> > ***********
> > % (gpg --list-keys 89A36572 > /dev/null 2>&1 || gpg --recv-keys 89A36572) && gpg --verify openssl_dsa_advisory.asc
> > gpg: Signature made Wed 07 Jan 2009 05:00:43 AM PST using RSA key ID F295C759
> > gpg: Can't check signature: public key not found
> >
>
> We don't use that shared key. That was signed with my key with ID F295C759.
> See http://www.openssl.org/about/
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
>
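
For scripted verification, the two outcomes seen in this thread ("public key not found" versus "BAD signature") can be told apart from gpg's machine-readable `--status-fd` output, and the signer can be pinned to one expected key rather than whichever key happens to be in the keyring. The following is an added example, not part of the original messages; the fingerprint, long key ID and sample status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies `gpg --status-fd` output.
# Typical use, with EXPECTED_FPR being the signer's full fingerprint obtained
# out of band (assumption: the caller knows it):
#   gpg --status-fd 1 --verify advisory.asc 2>/dev/null | classify_gpg_status "$EXPECTED_FPR"

classify_gpg_status() {
    expected_fpr=$1
    bad=0; unchecked=0; good=0; pinned=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)  bad=1 ;;   # key is present, but data and signature do not match
            "[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*) unchecked=1 ;;  # e.g. public key not found
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] VALIDSIG "*)
                rest=${line#"[GNUPG:] VALIDSIG "}
                # The first VALIDSIG field is the fingerprint of the key that signed.
                if [ "${rest%% *}" = "$expected_fpr" ]; then pinned=1; fi ;;
        esac
    done
    # A failure always outranks a success; exit status 0 only for a pinned good signature.
    if   [ "$bad" -eq 1 ];       then echo BAD;       return 1
    elif [ "$unchecked" -eq 1 ]; then echo UNCHECKED; return 2
    elif [ "$good" -eq 1 ] && [ "$pinned" -eq 1 ]; then echo GOOD; return 0
    elif [ "$good" -eq 1 ];      then echo WRONGKEY;  return 3
    else echo UNKNOWN; return 4
    fi
}

# Constructed sample status output; fingerprint and long key ID are placeholders.
FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_NOKEY='[GNUPG:] ERRSIG 89ABCDEF01234567 1 2 01 1231333243 9
[GNUPG:] NO_PUBKEY 89ABCDEF01234567'
SAMPLE_BAD='[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>'
SAMPLE_GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $FPR 2009-01-07 1231333243 0 3 0 1 2 01 $FPR"

for sample in "$SAMPLE_NOKEY" "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    printf '%s\n' "$sample" | classify_gpg_status "$FPR" || true
done
```
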
